Sven-Haegar Koch
2015-Apr-24 20:26 UTC
Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
Comments below

On Fri, 24 Apr 2015, Guus Sliepen wrote:

> On Thu, Apr 16, 2015 at 10:09:05PM +0200, Raimund Sacherer wrote:
>
> > At first I really like the idea of having 3 Daemons on the headquarter, one for each ISP. The firewall should forward the port 655 from each ISP's public IP Address to my internal server and to the ports 655, 656, 657 respectively
> [...]
> > My question now is, for every tinc daemon I need a tun or tap device, so how should the routing be done correctly? I have the VPN Network 10.69.0.0/11.
> >
> > Right now I have one tinc daemon and one tun0 device. I route the complete 10.96.0.0/11 to tun0. How do I have to proceed if I want this 10.96.0.0/11 be available from all 3 tinc-daemons (which from the internet-side will have every one its own public IP with a different ISP)?
> >
> > The idea would be that I:
> >
> > * do not have to care if a line goes down, remote offices just reconnect to one of the other lines
> > * in the event of a severe degradation of a line I just stop the corresponding daemon, all remote offices which had used this internet line just reconnect to one of the others
> > * do not really care to which ISP every remote office connects
>
> In this case, I think it's best if you do not add any routes in the
> tinc-up script. So there, you just configure the address of the
> interface, but don't supply a netmask:
>
> #!/bin/sh
> ifconfig $INTERFACE 10.96.x.y

Won't a netmask of 255.255.255.255 be better than not specifying any?
Otherwise it falls back to old classful addressing and would assume
10.0.0.0/8 - which is clearly always wrong.

# ifconfig eth2 10.96.3.4
# route -n |grep eth2
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth2

Or are tun devices different in this regard?

> Then, assuming you run tinc in router Mode (the default), you should
> create a script named "subnet-up" in the same directory as tinc-up, and
> put this in it:
>
> #!/bin/sh
> ip addr add $SUBNET dev $INTERFACE
>
> And a "subnet-down" script:
>
> #!/bin/sh
> ip addr del $SUBNET dev $INTERFACE

Don't you mean "ip route add/del" here?

> This will cause tinc to automatically add and remove routing entries,
> depending on which nodes are reachable. You will get multiple routing
> entries for the same subnet but to different interfaces. One of them
> will be chosen by the kernel based on the order of addition, but you
> don't care about it so it's fine. If tinc detects that a node goes down,
> the subnet-down script will remove the offending route, and the kernel
> will then use another one. And if you manually stop a tincd its routes
> will be removed as well.
>
>

c'ya
sven-haegar

--
Three may keep a secret, if two of them are dead.
- Ben F.
Guus Sliepen
2015-Apr-24 20:35 UTC
Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
On Fri, Apr 24, 2015 at 10:26:18PM +0200, Sven-Haegar Koch wrote:

> > #!/bin/sh
> > ifconfig $INTERFACE 10.96.x.y
>
> Won't a netmask of 255.255.255.255 be better than not specifying any?
> Otherwise it falls back to old classful addressing and would assume
> 10.0.0.0/8 - which is clearly always wrong. [...] Or are tun devices
> different in this regard?

Hm, it seems that ifconfig indeed treats tun and tap differently, if you
don't specify a netmask it applies a /32 for tun interfaces and a /8 for
tap. Iproute is better I guess:

#!/bin/sh
ip addr add 10.96.x.y dev $INTERFACE
ip link set dev $INTERFACE up

> > Then, assuming you run tinc in router Mode (the default), you should
> > create a script named "subnet-up" in the same directory as tinc-up, and
> > put this in it:
> >
> > #!/bin/sh
> > ip addr add $SUBNET dev $INTERFACE
> >
> > And a "subnet-down" script:
> >
> > #!/bin/sh
> > ip addr del $SUBNET dev $INTERFACE
>
> Don't you mean "ip route add/del" here?

Yes, thanks for correcting me.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
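Added example, not part of the original thread: the tinc-up, subnet-up and subnet-down hooks discussed above with the correction applied (ip route rather than ip addr), written as one file that can be linked under all three names. It goes beyond the thread by refusing routes for subnets outside 10.96.0.0/11 and by giving each daemon's routes their own metric so that entries for the same subnet on different interfaces can coexist. IP, VPN_ADDR and METRIC are hypothetical names introduced here, and 10.96.0.1 is a placeholder address.

```sh
#!/bin/sh
# Added example, not code from the thread. tinc sets INTERFACE and SUBNET;
# IP, VPN_ADDR and METRIC are hypothetical names introduced here.
IP=${IP:-ip}                      # set IP="echo ip" for a dry run
VPN_ADDR=${VPN_ADDR:-10.96.0.1}   # constructed placeholder for this host's 10.96.x.y
METRIC=${METRIC:-100}             # use a different value per daemon, e.g. 100, 101, 102

# True only for an IPv4 subnet a.b.c.d[/len] lying inside 10.96.0.0/11.
in_vpn_range() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac   # digits, dots and slash only
    addr=${1%%/*} len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac   # also rejects a second slash
    case $addr in *.|.*) return 1 ;; esac        # no leading or trailing dot
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    # 10.96.0.0/11 spans 10.96.0.0 to 10.127.255.255
    [ "$1" -eq 10 ] && [ "$2" -ge 96 ] && [ "$2" -le 127 ] &&
        [ "$len" -ge 11 ] && [ "$len" -le 32 ]
}

# tinc-up: host address only (/32), so no network route is created implicitly.
tinc_up() {
    $IP addr add "$VPN_ADDR/32" dev "$INTERFACE" &&
        $IP link set dev "$INTERFACE" up
}

# subnet-up / subnet-down: $1 is "add" or "del".
subnet_route() {
    in_vpn_range "$SUBNET" || { echo "refusing route for '$SUBNET'" >&2; return 1; }
    $IP route "$1" "$SUBNET" dev "$INTERFACE" metric "$METRIC"
}

# Dispatch on the file name, so one file can be linked as all three hooks.
case ${0##*/} in
    tinc-up)     tinc_up ;;
    subnet-up)   subnet_route add ;;
    subnet-down) subnet_route del ;;
esac
```

Running a hook with IP="echo ip" prints the commands it would execute without touching the routing table.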
Raimund Sacherer
2015-Apr-27 07:35 UTC
Help needed with Tinc Setup on remote hosts and lots of ISPs / Failover Problems between ISPs
Thank you very much Guus and Sven,

that sounds indeed very exciting, can't wait to try it out.

Best regards,
Ray

----- Original Message -----
> From: "Guus Sliepen" <guus at tinc-vpn.org>
> To: tinc at tinc-vpn.org
> Sent: Friday, April 24, 2015 10:35:48 PM
> Subject: Re: Help needed with Tinc Setup on remote hosts and lots of ISPs /
> Failover Problems between ISPs

> On Fri, Apr 24, 2015 at 10:26:18PM +0200, Sven-Haegar Koch wrote:

> > > #!/bin/sh
> > > ifconfig $INTERFACE 10.96.x.y
> >
> > Won't a netmask of 255.255.255.255 be better than not specifying any?
> > Otherwise it falls back to old classful addressing and would assume
> > 10.0.0.0/8 - which is clearly always wrong. [...] Or are tun devices
> > different in this regard?

> Hm, it seems that ifconfig indeed treats tun and tap differently, if you
> don't specify a netmask it applies a /32 for tun interfaces and a /8 for
> tap.

> Iproute is better I guess:

> #!/bin/sh
> ip addr add 10.96.x.y dev $INTERFACE
> ip link set dev $INTERFACE up

> > > Then, assuming you run tinc in router Mode (the default), you should
> > > create a script named "subnet-up" in the same directory as tinc-up, and
> > > put this in it:
> > >
> > > #!/bin/sh
> > > ip addr add $SUBNET dev $INTERFACE
> > >
> > > And a "subnet-down" script:
> > >
> > > #!/bin/sh
> > > ip addr del $SUBNET dev $INTERFACE
> >
> > Don't you mean "ip route add/del" here?

> Yes, thanks for correcting me.

> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>

> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

--